Page 266 - Cyber Defense eMagazine September 2025

Factor Authentication (MFA). The device posture check is also performed during this phase: corporate policy is evaluated against the user's endpoint to confirm that it runs an approved OS version, has anti-virus software running, has disk encryption enabled, and meets the other required security controls. On successful authentication, the client downloads a user-specific and device-specific configuration profile. The configuration includes:

   1.  Routing Policies – Specific routes to applications in the cloud or the data center are downloaded so that traffic takes the shortest path to each application. In some deployments, direct routing between SD-WAN devices is enabled so that applications hosted at specific sites are reached directly.
   2.  DNS Settings – Split DNS improves performance, lowers latency, and strengthens security. Internal domain names are resolved by the enterprise's internal DNS server, which gives quick access to internal applications and prevents internal host names from being exposed to external DNS servers. To offload the internal DNS infrastructure, public domain names are resolved through trusted cloud public DNS servers.
   3.  Device Location – The client's location matters so that the correct regional profile is downloaded and the user is connected to the closest gateway, which optimizes performance.
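The split-DNS decision in item 2 comes down to a suffix match on the query name, and the easy way to get it wrong is to compare strings instead of domain labels: "notcorp.example.com" ends with "corp.example.com" but is not inside it. The Go program below is an added example, not code from this article or from any SASE vendor; the resolver names, the 10.0.0.53 and 203.0.113.53 addresses, and the corp.example.com suffix are constructed. It sends a query to the enterprise resolver only when the name is an internal suffix or a subdomain of one, normalizes case and trailing dots, and keeps the reverse zone for internal address space internal as well.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Resolver is one upstream DNS server (names and addresses here are constructed).
type Resolver struct {
	Name string
	Addr string
}

// SplitDNSPolicy lists the internal domain suffixes that must be resolved by the
// enterprise resolver; every other name goes to the public cloud resolver.
type SplitDNSPolicy struct {
	InternalSuffixes []string
	Internal         Resolver
	Public           Resolver
}

// normalize lower-cases a name and strips surrounding whitespace and the
// trailing dot, so "App.CORP.Example.com." and "app.corp.example.com" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// matchesSuffix reports whether name equals suffix or is a subdomain of it.
// The comparison is made on label boundaries: "notcorp.example.com" is not
// inside "corp.example.com". A plain strings.HasSuffix(name, suffix) check
// would wrongly send that lookalike to the internal resolver.
func matchesSuffix(name, suffix string) bool {
	return name == suffix || strings.HasSuffix(name, "."+suffix)
}

// Route picks the resolver that should answer a query for qname.
func (p SplitDNSPolicy) Route(qname string) (Resolver, error) {
	name := normalize(qname)
	if name == "" {
		return Resolver{}, errors.New("empty query name")
	}
	for _, s := range p.InternalSuffixes {
		if matchesSuffix(name, normalize(s)) {
			return p.Internal, nil
		}
	}
	return p.Public, nil
}

// ExamplePolicy is a constructed policy: the internal forward zone plus the
// reverse zone for the 10/8 private range, which must also stay internal.
func ExamplePolicy() SplitDNSPolicy {
	return SplitDNSPolicy{
		InternalSuffixes: []string{"corp.example.com", "10.in-addr.arpa"},
		Internal:         Resolver{Name: "enterprise-dns", Addr: "10.0.0.53"},
		Public:           Resolver{Name: "cloud-public-dns", Addr: "203.0.113.53"},
	}
}

func main() {
	p := ExamplePolicy()
	for _, q := range []string{
		"App.CORP.Example.com.",         // internal, despite case and trailing dot
		"5.0.0.10.in-addr.arpa",         // reverse lookup of an internal address
		"notcorp.example.com",           // lookalike: must go to the public resolver
		"corp.example.com.attacker.net", // internal suffix embedded in an external name
		"www.example.org",
	} {
		r, err := p.Route(q)
		if err != nil {
			fmt.Printf("%-32s error: %v\n", q, err)
			continue
		}
		fmt.Printf("%-32s -> %s (%s)\n", q, r.Name, r.Addr)
	}
}
```

The same label-boundary rule applies when the policy is pushed to a system resolver such as systemd-resolved or dnsmasq: the internal suffix list there is matched per domain, not per string, and it is worth confirming that with a lookalike name after deployment.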



The next phase is gateway connectivity. The client sends probes to gather real-time metrics, such as gateway proximity and load, and uses them to establish a secure connection to a healthy SASE gateway. For example, suppose gateways are deployed across the East Coast, Central, Midwest, and West Coast of the US. A user in Chicago should connect to the Central gateway, as it is likely the closest. If the Central gateway is not healthy, the device connects to the next closest gateway, likely one on the East Coast. Device posture checks are repeated periodically after the device is connected, so that a device that falls out of compliance can be disconnected or restricted; this upholds zero-trust policy and business compliance.
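The admission sequence described on this page, a posture check followed by selection of the nearest healthy gateway and then periodic re-checks, can be written as a small client-side model. The Go program below is an added example, not the article's or any product's code; the four regions, the probe latencies and loads, the 0.9 load ceiling, and the OS build numbers are constructed, and the policy fields are assumptions about what a posture profile contains. It connects only when posture passes, picks the nearest gateway that is healthy and not saturated, falls through to the next one when the nearest is down, and reports when a re-check means the tunnel must be torn down.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GatewayProbe is the result of one client probe (sample values are constructed).
type GatewayProbe struct {
	Region  string
	RTTms   float64 // round-trip time: the proximity signal
	Load    float64 // fraction of capacity in use, 0.0 to 1.0
	Healthy bool    // probe answered and the gateway reported healthy
}

// SelectGateway returns the nearest gateway that is healthy and below maxLoad;
// an unhealthy or saturated nearest gateway falls through to the next nearest.
func SelectGateway(probes []GatewayProbe, maxLoad float64) (GatewayProbe, error) {
	best, found := GatewayProbe{}, false
	for _, p := range probes {
		if p.Healthy && p.Load < maxLoad && (!found || p.RTTms < best.RTTms) {
			best, found = p, true
		}
	}
	if !found {
		return GatewayProbe{}, errors.New("no healthy gateway within the load limit")
	}
	return best, nil
}

// Posture is what the client observes on the endpoint; PosturePolicy is the
// corporate guideline it is evaluated against. OS builds are compared as
// integers (as with Windows build numbers) to avoid string-ordering mistakes.
type Posture struct {
	OSBuild       int
	AVRunning     bool
	DiskEncrypted bool
}

type PosturePolicy struct {
	MinOSBuild     int
	RequireAV      bool
	RequireDiskEnc bool
}

// Evaluate returns every guideline the endpoint violates; empty means compliant.
// It runs at connect time and again on every periodic re-check.
func (pol PosturePolicy) Evaluate(p Posture) []string {
	var v []string
	if p.OSBuild < pol.MinOSBuild {
		v = append(v, fmt.Sprintf("OS build %d below minimum %d", p.OSBuild, pol.MinOSBuild))
	}
	if pol.RequireAV && !p.AVRunning {
		v = append(v, "anti-virus not running")
	}
	if pol.RequireDiskEnc && !p.DiskEncrypted {
		v = append(v, "disk encryption disabled")
	}
	return v
}

// Connect admits the device only when posture passes, then picks a gateway.
// The 0.9 load ceiling is an assumption, not a value from the article.
func Connect(pol PosturePolicy, p Posture, probes []GatewayProbe) (string, error) {
	if v := pol.Evaluate(p); len(v) > 0 {
		return "", fmt.Errorf("posture check failed: %s", strings.Join(v, "; "))
	}
	gw, err := SelectGateway(probes, 0.9)
	if err != nil {
		return "", err
	}
	return gw.Region, nil
}

// Recheck is the periodic post-connect check; false means tear the tunnel down.
func Recheck(pol PosturePolicy, p Posture) bool { return len(pol.Evaluate(p)) == 0 }

// ChicagoProbes is constructed sample data for a user in Chicago.
func ChicagoProbes(centralHealthy bool) []GatewayProbe {
	return []GatewayProbe{
		{Region: "East", RTTms: 34, Load: 0.40, Healthy: true},
		{Region: "Central", RTTms: 18, Load: 0.55, Healthy: centralHealthy},
		{Region: "Midwest", RTTms: 26, Load: 0.95, Healthy: true}, // saturated
		{Region: "West", RTTms: 58, Load: 0.20, Healthy: true},
	}
}

func main() {
	pol := PosturePolicy{MinOSBuild: 22631, RequireAV: true, RequireDiskEnc: true}
	p := Posture{OSBuild: 26100, AVRunning: true, DiskEncrypted: true}
	fmt.Println(Connect(pol, p, ChicagoProbes(true)))  // Central <nil>
	fmt.Println(Connect(pol, p, ChicagoProbes(false))) // East <nil>: Central down, Midwest saturated
	p.AVRunning = false
	fmt.Println(Recheck(pol, p)) // false: disconnect
}
```

Note that the Midwest gateway is skipped even though it is closer than East, because load is part of the health decision; a client that ranks by latency alone would pile onto a gateway that is already at capacity.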



TLS Certificate Management

A public key infrastructure (PKI) secures control and data traffic between the SASE client and the gateways. Enterprises can use a single certificate for all SASE gateways or a separate certificate for each gateway. The latter is recommended because it is more secure: each certificate names only its own gateway, so a private key compromised on one gateway cannot be used to impersonate the others, and rotating or revoking it affects only that gateway. In either case the client must validate the gateway certificate against the enterprise's trusted CA and check that it matches the name of the gateway it is connecting to; otherwise the PKI provides no protection. Enterprises can leverage the orchestration platform to automate the certificate lifecycle (issuance, renewal, rotation, and revocation), which keeps operations straightforward.
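The claim that per-gateway certificates are more secure is easiest to see by issuing one and checking what it can and cannot do. The Go program below, built only on the standard library's crypto/x509 package, is an added example rather than the article's or any orchestration platform's code; the CA name, the gw-east.sase.example.com and gw-central.sase.example.com host names, the 30-day lifetime and the one-third renewal threshold are assumptions. It creates an enterprise CA, issues a leaf whose SAN names exactly one gateway, verifies it the way a client should (chain, validity period, server-auth usage and host name), shows that the same certificate fails for a different gateway's name, and exposes the renewal check an orchestrator would poll.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key, gives tmpl a random 128-bit serial, signs
// it with parent (self-signed when parent is nil) and returns cert and key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = serial
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates the enterprise's private CA that signs gateway certificates
// (hypothetical name; a real deployment keeps this key in an HSM or KMS).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example SASE Gateway CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueGatewayCert issues a leaf for exactly one gateway host name. The SAN
// lists only that host (no wildcard), so the key serves that gateway and
// nothing else; a short ttl makes routine rotation, not revocation, the norm.
func IssueGatewayCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:    now.Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// VerifyGateway is the client-side check: the leaf must chain to the enterprise
// CA, be valid at time at, be usable for server authentication, and name the
// gateway the client intends to reach. Skipping the host-name check is what
// would let a certificate leaked from one gateway impersonate all the others.
func VerifyGateway(ca, leaf *x509.Certificate, expectedHost string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedHost,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NeedsRotation is the lifecycle hook an orchestrator polls: renew once less
// than a third of the certificate's lifetime remains (threshold is an assumption).
func NeedsRotation(c *x509.Certificate, now time.Time) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	return now.After(c.NotAfter.Add(-lifetime / 3))
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	east, _, err := IssueGatewayCert(ca, caKey, "gw-east.sase.example.com", 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println(VerifyGateway(ca, east, "gw-east.sase.example.com", now))    // <nil>
	fmt.Println(VerifyGateway(ca, east, "gw-central.sase.example.com", now)) // host name mismatch
	fmt.Println(NeedsRotation(east, now), NeedsRotation(east, now.AddDate(0, 0, 25)))
}
```

With a single certificate shared by every gateway, the second VerifyGateway call would succeed for any gateway name in its SAN list, which is exactly why one leaked key would then be good for impersonating all of them.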



            Data Compliance

Data protection laws vary across the globe. Many countries have strict data residency requirements that prohibit transferring or processing their residents' data beyond their borders. SASE infrastructure is a significant factor in meeting these requirements: traffic is routed to, and kept within, points of presence in the user's own country or region, so compliance is maintained without compromising network performance.






            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.